Working in IT security since 1986, I have accumulated a very broad range of
engineering experience and expertise in many areas of computer security,
primarily those involving the use of cryptography. Since 1995 I have been
involved in a range of IT security standardization activities, which has given
me the opportunity to work alongside some of the most well-known experts in the
field. As well as authoring various standards documents, in
the past I co-chaired an Internet engineering task force (IETF) security working group (sacred)
and a world-wide web consortium (W3C) working
group on XML key management (xkms),
both of which groups concluded successfully - as they ought.
I was also involved with some anti-spam work as co-chair of the IETF
domain keys identified mail (dkim) working
group and was an invited expert participating in the W3C web security
context working group (wsc), which was
basically a group of security and browser folks who were trying to improve on
the current "padlock" security indicator in browsers.

My involvement in Internet standards has recently increased quite a bit
since I took over in April 2011 as one of two IETF security area directors,
and hence a member of the Internet
Engineering Steering Group, which is the technical management committee of
the IETF. That means I now need to read, and (sort-of) "vote" on all new IETF
RFCs for the next couple of years (or until they chuck me out:-). In one
week
(2011-05-26
telechat), that meant reading and commenting on 623 pages of
Internet-drafts, but that was a bad week - the average is 400 pages every
two weeks.
I'm also a
member of the Internet research steering group (IRSG) which does a somewhat similar job
for the far fewer documents produced by Internet research task force (IRTF) research groups.

Areas of security I've mostly worked on include Public Key Infrastructure
(PKI), authorization and security for web services. In terms of my current
approach to that kind of work, I would generally like to see better deployment
of security technology, even if that appears to come at the expense of
"purity." That represents a bit of a change from the approach we all had when
we first started working on PKI.

Until I started doing more security again recently, I was really more interested in networking and, in
particular, highly-challenged networks (e.g. networking in deep-space as
envisaged by the group working on the InterPlaNet). That work is mainly done in the
context of an IRTF group on delay tolerant networking (DTN) where I
also help out as co-chair. In 2006, I co-authored what we believe is the first
book about delay and disruption tolerant networking. But I
don't just do DTN bureaucracy - I'm also quite involved in most of the security
work being done in that context as well as in the definition of a long-haul
delay tolerant protocol called LTP (RFC 5326) that was used
(by NASA, not me) to talk
to a spacecraft 25 million km away! In that context, what's most
interesting to me is how DTN concepts (and maybe even concrete protocols) might
form a part of the future Internet architecture, especially for its more
challenged nodes (which I reckon will always exist).

In day-to-day terms, other than teaching a bit,
I'm involved in an EU-funded supporting action called
STREWS
where we're trying to bridge between
security researchers and those involved in W3C and IETF
standardisation. STREWS sponsored and arranged (and I
chaired) the
2014 Joint IAB/W3C workshop on Strengthening the Internet
against Pervasive Monitoring
(STRINT).

Pervasive Monitoring (PM) is something that as you can
imagine has taken up a lot of my time in the last 18 months
or so since we started getting a better picture of exactly
how much some government actors are snooping on the Internet.
That however has re-invigorated a lot of Internet security
folks with the result that a lot of good progress has been
made on Internet security in 2013 and 2014. I've been helping
to lead some of that within the IETF where I was the main
author for
RFC 7258
titled "Pervasive Monitoring is an Attack" and
which set the scene (well, I think it did:-) for a number
of other security activities, for example, the
IAB statement saying encrypt it all,
the
DNS Privacy working group,
the
TCP increase security
and drafts on
opportunistic security
and on confidentiality for
MPLS.
I think it's fair to say
that the
STRINT workshop
and working to get IETF consensus on
RFC 7258
were both significant enough contributions to all that
happening. I've also been helping out (non-technical help
only, sadly) a bunch of folks who're trying to develop
an open-source hardware security module (HSM)
in order to try provide better confidence in the
implementation of cryptography - that's a fine
project called Cryptech
and you should help them out if you can with funds
or work.

I've also recently started trying to figure out how we can
better bridge between techies and some data protection agency
folks - we had the IPEN workshop
in Berlin in September, organised mainly by the European Data Protection Supervisor and a group
of us are working to see how best to proceed from here.
My main goals there would be that we try help policy folks
to not make technical mistakes and educate technology folks
about the issues policy folks face. And then we'll see what
happens.

In terms of other older projects, the most fun one was
an EU funded DTN project on reindeer tracking and
communications services for the reindeer herders - that was called N4C (Networking for Communications Challenged
Communities) and started in May 2008 for 3 years. We've published the
full results of our N4C trials
in the arctic, including all the code, logs etc. and there's an
informal blog-like description of our 2010 trial
here.

In August 2010, we started a
related project on Information Centric Networking, (in our case based on DTN) -
that's being done as part of a very large EU funded project (an "IP") called SAIL where TCD are working on the so-called
Network of Information (NetInf, in our case a DTN-based ICN just to talk
acronym-babble for a moment:-). SAIL was my main day-to-day project in TCD
until about the end of 2012. We're also doing a little work on yet another EU
funded project on medical informatics, in that case providing a security model
and a content security API - that's the TRANSFoRm project, but our involvement
is quite small there, at least in terms of effort.

Also in 2010, with a couple of partners, I started up a campus company, Tolerant Networks Ltd., to do
non-research DTN projects. As Tolerant Networks, we've worked with a UK company
called SciSys as a subcontractor on a
European Space Agency (ESA) funded study about the use of DTN protocols in
space. And we subsequently carried out another DTN study for ESA on
potential uses of DTN for (Earth orbiting) satellites (MUDSAT).

Before all of those I worked on an Enterprise-Ireland funded (2005 technology
development fund) project on sensor networking with delay tolerance (SeNDT - intended to sound like
"scent"), focused mainly on piloting some DTN based technology we had developed
for environmental monitoring, in particular, lake water quality monitoring, but
using delay tolerant protocols.

I'm also on the editorial board of IEEE Internet Computing
magazine. And I'm a Senior Technical Advisor to the
Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).

From July 2007 until April 2010 I was part-time chief technologist with NewBay software, an excellent company that
provide user generated content management software and services for mobile
network operators. That's a kind of Web 2.0 meets the bell heads gig, which was
interesting, especially when the applications are offered to such large sets of
users (in the millions).

Chief Security Architect
Director of Research
Senior Research Associate

With NewBay I contributed to product architecture and creating product,
services and operational security processes. I also established NewBay's
internal patent scheme and filed a number of patent applications on NewBay's
behalf. (See USPTO applications 20110004924 and 20100064377 if you care;-)

I began with Baltimore as Chief Security Architect, reporting to the
Director of Research (a position I assumed in Spring 2000 until transitioning
to part-time in May 2002 as Senior Research Associate, I only finally quit in
June 2003). With Baltimore my main responsibilities included:

"End-by-hop Data Integrity," Stephen Farrell & Christian Jensen,
Fourth European Workshop on Security and Privacy in Ad hoc and Sensor
Networks, July 2-3, 2007, Cambridge, UK. (Here's the ppt that
Christian used for the presentation at the workshop.)

This is really a minor update of the RAST2003 paper below (events
within weeks of one another don't allow much work in between!).
Supplementary materials are here including the
conference presentation (ppt).

1989

A note on RFCs as publications: Since I currently work in an academic
institution, people care a lot about peer reviewed publications, but generally
seem not to properly credit documents in the RFC series, so, with the aim of
helping to redress this imbalance, here's a bit of history
about one of the above RFCs. RFC
3281 is a standards-track
document, published in April 2002 based on the 9th
revision of the corresponding Internet Draft. The first
version was published in April 1999 and during that three year period
members of the IETF PKIX working
group (with O(100) active participants) publicly commented on the draft many
times, for example, the list archive shows one thread
discussing encoding issues that involved about a dozen different individuals.
Over the entire period, perhaps O(100) independent comments were disposed of.
Google scholar currently (Nov 2014) returns some 611
citations for this RFC.
The conclusion? Many, though not all, of the documents in the RFC
series are important, high-quality publications that have undergone as thorough
a review as a journal article and the fact that almost all aspects of that
review are publicly archived gives the reader the chance to gain a much more
fully-rounded understanding of the technology and its development.

Other Internet drafts

These are Internet drafts that I co-authored that were a bit interesting but
didn't end up as RFCs for various reasons. They are, of course, all "expired,"
but still more or less available, though you might have to search.

I co-chaired a BoF on trust anchor management at the Chicago IETF (July
2007) - went fairly well but there wasn't enough of a constituency for a
new working group - the PKIX WG subsequently "adopted" this as a work
item.

I take part in the W3C web security
context WG as an Invited Expert. That started in Nov '06, and is aiming
to do something a bit better than a padlock in the browser, though it's
difficult to improve such an installed base, so we'll see what happens.

Since they now do something (review all I-Ds on the IESG agenda), it's
perhaps worth noting that I'm a member of the IETF security area
directorate.

As co-chair of the DTN research group, I'm also a member of the IRTF Internet Research Steering Group,
(no not that one:-) but its
role is less mature (i.e. it does less:-)

This group had met all its milestones in 2004, but was kept on
life-support in the hope that some IPR would be freed up, but
unfortunately that hasn't happened (as of Oct'05). So the group has now
been closed (Jan'06).

In the now not so recent past, I have been a (more-or-less) active
participant in the following standards activities and organisations: